The legislation also permits the commissioner to conduct assessments of privacy performance for both Australian government agencies and private companies.

The reforms introduce a single set of privacy principles called the Australian Privacy Principles (APPs) and a number of changes to how personal information is handled, including when it can be used for direct marketing and sent overseas.

Communications Alliance CEO John Stanton praised Attorney General Nicola Roxon and her staff for working with the ICT industry to reach a successful resolution of what he called the "Australian Link" issue.

This issue is the introduction of provisions restricting the ability of credit card providers to disclose credit eligibility to entities that do not have a presence in Australia.

“The prohibition on disclosure of any credit-related information to organisations that do not have an Australian link would have major impacts for companies with existing offshore call centres and data processing facilities,” Stanton said in a statement.

Association for Data-driven Marketing & Advertising (ADMA) CEO Jodie Sangster also welcomed the amendments but said she was “disappointed” that the opportunity to create a model privacy framework for the digital era had been missed.

“The government, opposition and parliamentary committees have produced a workable set of APPs including one for marketing, introducing positive credit reporting and updating the powers of the privacy commissioner,” Sangster said in a statement.

However, she added that there were still important aspects relating to the use of social media and online channels that needed to be negotiated with privacy commissioner Timothy Pilgrim.

“We hope to develop codes and guidelines for digital and online platforms that will promote and enhance consumer protection and privacy whilst making privacy issues more manageable for business,” Sangster said.

ADMA had lobbied for amendments to the Bill on behalf of the Australian marketing and advertising industry.

These included:

Removing the prohibition on direct marketing

Reducing the requirement to include opt-out notices on all marketing communications

Limiting the obligation to allow customers to engage under a pseudonym

Re-configuring the requirement on transfer of data.

She added that while this week's developments removed some of the uncertainty around changes to privacy laws, the government's intentions for mandatory data breach notification and a civil right to privacy were “still unknown.”

“Businesses have enough to deal with in ensuring they are complying with the new privacy law in 2013,” Sangster said.

“It would be beneficial to allow businesses to deal with the latest privacy changes before imposing yet more laws.”

Legal ramifications

Middletons partner Cameron Abbott, who specialises in ICT law, advised that organisations that collect or hold information in Australia will need to change their practices to comply with the Privacy Bill before commencement in 15 months’ time.

He also said that the APPs replace the existing National Privacy Principles and Information Privacy Principles governing the collection, use, disclosure and maintenance of personal information by both public and private sector organisations.

For example, there have been changes to APP 1, which covers open and transparent management of personal information.

“APP 1 contains new obligations regarding data transparency, and specifies the information that must be included by organisations in their privacy policies,” he said in a statement.

“Organisations will need to specify how an individual can make a complaint about a breach of their privacy, whether the organisation is likely to disclose information overseas, and, if practicable, the locations in which personal information is likely to be held or disclosed.”

Abbott added that organisations will need to ensure that their privacy policy is permanently available to the public by posting the policy on the organisation’s website.

Turning to APP 5, which covers notification of the collection of personal information, he said that the existing notification requirements for the collection of personal information will be expanded.

“Organisations will be required to disclose the circumstances in which they collected the information if not directly from the individual, whether they are likely to disclose the information overseas, and the location of any likely overseas disclosure.”

Lastly, Abbott examined APP 8, which covers cross-border disclosure of personal information. Under this principle, organisations must take reasonable steps to ensure that the recipient of the information does not breach the APPs.

“Importantly, although organisations that meet this requirement will be permitted to disclose information lawfully, they may still be held liable for any breach of the APPs by the recipient and be penalised,” he said.

This article and the comments within it should not be construed as legal advice.

Copyright 2015 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.